Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
Max time kernel: 51s
Max time network: 72s
Platform: windows10-1703_x64
Resource: win10-20230220-en
Resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 03/03/2023, 18:56
Static task: static1
Behavioral task: behavioral1
Sample: b858057f8b6bdda8598fa1c04fd537d73f402bd06a7bb3559b2c49c8198a0446.exe
Resource: win10-20230220-en
General
Target: b858057f8b6bdda8598fa1c04fd537d73f402bd06a7bb3559b2c49c8198a0446.exe
Size: 658KB
MD5: 2b41383e82245967013a0aa7a20c10c9
SHA1: f8b6c766616a9c2e547cac8972fd425f528fdf46
SHA256: b858057f8b6bdda8598fa1c04fd537d73f402bd06a7bb3559b2c49c8198a0446
SHA512: c5691ee9657b5ef3e7043a393b69d1549d6c7cde0afa32d6548e6d00a226c2fa88f718500d27aa48ce34fcdfda5db69ef62fa6c2202c31c1e62d4549744879a7
SSDEEP: 12288:rMrYy90eOluVMGvDHZ6rv9Nnfg81JINfeg5RJIqP5gq2Hx6tAwM:fyBO0VMegRfyV5f5soM
Malware Config
Two RedLine configurations were extracted from this run. Both use the same C2 endpoint and differ only in botnet ID and auth_value, so the sample carries two separately built RedLine payloads pointed at one operator.

Extracted: redline
Botnet: rosto
C2: hueref.eu:4162
auth_value: 07d81eba8cad42bbd0ae60042d48eac6

Extracted: redline
Botnet: foksa
C2: hueref.eu:4162
auth_value: 6a9b2601a21672b285de3ed41b5402e4
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
All five values are written by urri86xi96.exe under the Windows Defender Group Policy key; together they switch off real-time monitoring, behaviour monitoring, on-access protection and scanning of downloaded files and attachments (IOAV).
Description | IOC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | urri86xi96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | urri86xi96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | urri86xi96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | urri86xi96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | urri86xi96.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 22 IoCs
All 22 hits are memory regions of PID 4316 (wrib65HE10.exe).
Resource | YARA rule
behavioral1/memory/4316-179-0x0000000002370000-0x00000000023B6000-memory.dmp | family_redline
behavioral1/memory/4316-180-0x0000000004B10000-0x0000000004B54000-memory.dmp | family_redline
behavioral1/memory/4316-181-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-182-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-184-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-186-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-188-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-190-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-192-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-194-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-196-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-198-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-200-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-202-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-204-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-206-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-208-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-210-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-212-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-214-0x0000000004B10000-0x0000000004B4E000-memory.dmp | family_redline
behavioral1/memory/4316-435-0x0000000004C50000-0x0000000004C60000-memory.dmp | family_redline
behavioral1/memory/4316-439-0x0000000004C50000-0x0000000004C60000-memory.dmp | family_redline
Executes dropped EXE 4 IoCs
PID | Process
4156 | ycaR53IP12.exe
996 | urri86xi96.exe
4316 | wrib65HE10.exe
4032 | xuRy39zg96.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
Windows security modification 2 IoCs
Description | IOC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | urri86xi96.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | urri86xi96.exe
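The Defender real-time protection policy writes and the TamperProtection write listed above are exactly what a registry-value-set detection should key on. The following is an added example written for this page, not part of the tria.ge report or of any vendor tooling: it runs that detection logic over constructed records in the shape of Sysmon Event ID 13 ("RegistryEvent (Value Set)") JSON lines. The field names (EventID, Image, TargetObject, Details) follow Sysmon's schema; the key paths, values and writing process are the ones in the report, while the two benign events at the end are made up to show what must not fire.

```python
"""Flag Defender-disabling registry writes in Sysmon Event ID 13 records (added example)."""
import json
import re
from typing import Iterable, List, Optional

# Policy values from the "Modifies Windows Defender Real-time Protection settings"
# signature: any of these set to 1 switches off a Defender protection component.
# The WOW6432Node prefix is optional because 32-bit writers are redirected there.
RTP_POLICY = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Policies\\Microsoft\\Windows Defender\\"
    r"Real-Time Protection\\(DisableRealtimeMonitoring|DisableScanOnRealtimeEnable|"
    r"DisableBehaviorMonitoring|DisableIOAVProtection|DisableOnAccessProtection)$",
    re.IGNORECASE,
)
# Value from the "Windows security modification" signature: 0 turns Tamper Protection off.
TAMPER_PROTECTION = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows Defender\\Features\\TamperProtection$",
    re.IGNORECASE,
)


def dword_value(details: str) -> Optional[int]:
    """Sysmon renders DWORD writes as 'DWORD (0x00000001)'; return the integer or None."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def evaluate(event: dict) -> Optional[dict]:
    """Return a finding for one event, or None if it is not a Defender-disabling write."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    value = dword_value(event.get("Details", ""))
    m = RTP_POLICY.search(target)
    if m and value == 1:
        return {"rule": "defender_rtp_policy_disabled", "setting": m.group(1),
                "image": event.get("Image", "")}
    if TAMPER_PROTECTION.search(target) and value == 0:
        return {"rule": "defender_tamper_protection_off", "setting": "TamperProtection",
                "image": event.get("Image", "")}
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Run evaluate() over JSON lines, skipping blank and malformed records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = evaluate(event)
        if hit:
            findings.append(hit)
    return findings


# Constructed telemetry: the six writes from the report's two signatures (all by
# urri86xi96.exe), then a Group Policy refresh re-enabling real-time monitoring and
# a write to an unrelated key with a matching value name. Only the first six may fire.
SAMPLE_EVENTS = r"""
{"EventID":13,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\urri86xi96.exe","TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring","Details":"DWORD (0x00000001)"}
{"EventID":13,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\urri86xi96.exe","TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable","Details":"DWORD (0x00000001)"}
{"EventID":13,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\urri86xi96.exe","TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring","Details":"DWORD (0x00000001)"}
{"EventID":13,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\urri86xi96.exe","TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection","Details":"DWORD (0x00000001)"}
{"EventID":13,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\urri86xi96.exe","TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection","Details":"DWORD (0x00000001)"}
{"EventID":13,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\urri86xi96.exe","TargetObject":"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features\\TamperProtection","Details":"DWORD (0x00000000)"}
{"EventID":13,"Image":"C:\\Windows\\System32\\svchost.exe","TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring","Details":"DWORD (0x00000000)"}
{"EventID":13,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\urri86xi96.exe","TargetObject":"HKLM\\SOFTWARE\\Example\\DisableIOAVProtection","Details":"DWORD (0x00000001)"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

The rules match on the key path suffix rather than the full path so that the same logic works whether the source renders the hive as `HKLM\` (Sysmon) or `\REGISTRY\MACHINE\` (the sandbox above), and the TamperProtection rule fires only on a write of 0, since the value is also set by legitimate Defender management when protection is turned on.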
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
The wextract_cleanupN RunOnce values and the IXP00N.TMP directories are the standard artefacts of an IExpress (wextract.exe) self-extracting package: the value runs DelNodeRunDLL32 from advpack.dll to delete the extraction directory at next logon, so it is a cleanup hook rather than persistence for the payloads. Two such entries (IXP000.TMP written by the sample, IXP001.TMP written by ycaR53IP12.exe) show two nested self-extracting layers.
Description | IOC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b858057f8b6bdda8598fa1c04fd537d73f402bd06a7bb3559b2c49c8198a0446.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ycaR53IP12.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ycaR53IP12.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b858057f8b6bdda8598fa1c04fd537d73f402bd06a7bb3559b2c49c8198a0446.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses 6 IoCs
PID | Process
996 | urri86xi96.exe
996 | urri86xi96.exe
4316 | wrib65HE10.exe
4316 | wrib65HE10.exe
4032 | xuRy39zg96.exe
4032 | xuRy39zg96.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Description | PID | Process
Token: SeDebugPrivilege | 996 | urri86xi96.exe
Token: SeDebugPrivilege | 4316 | wrib65HE10.exe
Token: SeDebugPrivilege | 4032 | xuRy39zg96.exe
Suspicious use of WriteProcessMemory 12 IoCs
Each target is a child the writing process has just launched (see the process tree), which is consistent with ordinary CreateProcess setup rather than injection into an unrelated process. Each row below was recorded three times.
Description | PID | Process | procid_target
PID 4212 wrote to memory of 4156 | 4212 | b858057f8b6bdda8598fa1c04fd537d73f402bd06a7bb3559b2c49c8198a0446.exe | 66 (3 entries)
PID 4156 wrote to memory of 996 | 4156 | ycaR53IP12.exe | 67 (3 entries)
PID 4156 wrote to memory of 4316 | 4156 | ycaR53IP12.exe | 68 (3 entries)
PID 4212 wrote to memory of 4032 | 4212 | b858057f8b6bdda8598fa1c04fd537d73f402bd06a7bb3559b2c49c8198a0446.exe | 70 (3 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b858057f8b6bdda8598fa1c04fd537d73f402bd06a7bb3559b2c49c8198a0446.exe (PID 4212)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b858057f8b6bdda8598fa1c04fd537d73f402bd06a7bb3559b2c49c8198a0446.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycaR53IP12.exe (PID 4156)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycaR53IP12.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urri86xi96.exe (PID 996)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urri86xi96.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrib65HE10.exe (PID 4316)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrib65HE10.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuRy39zg96.exe (PID 4032)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xuRy39zg96.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
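The tree above is the kind of chain that process-creation telemetry lets you rebuild on a live estate: an outer self-extractor in %TEMP% spawning a second self-extractor from IXP000.TMP, which in turn runs the payloads from IXP001.TMP. The following is an added example written for this page, not tria.ge code: it reconstructs the tree from constructed records in the shape of Sysmon Event ID 1 (ProcessCreate) fields (ProcessId, ParentProcessId, Image) and flags processes whose ancestry passes through two or more IXP extraction directories. PIDs and image paths are the ones in the report; the root's parent (PID 3000) is an assumption, since the report does not show it.

```python
"""Rebuild a spawn chain and flag nested IExpress self-extractor layers (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# IExpress/wextract packages unpack to %TEMP%\IXP<nnn>.TMP and run their payload from there.
IXP_EXE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.IGNORECASE)

Event = Dict[str, object]


def build_tree(events: List[Event]) -> Tuple[Dict[int, Event], Dict[int, List[int]]]:
    """Index records by PID and collect child PIDs per parent, in arrival order."""
    by_pid = {int(e["ProcessId"]): e for e in events}
    children: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        children[int(e["ParentProcessId"])].append(int(e["ProcessId"]))
    return by_pid, children


def render(by_pid: Dict[int, Event], children: Dict[int, List[int]],
           root: int, depth: int = 1) -> List[Tuple[int, int, str]]:
    """Depth-first listing of (depth, pid, image), in the same order as the report's tree."""
    rows = [(depth, root, str(by_pid[root]["Image"]))]
    for child in children.get(root, []):
        rows.extend(render(by_pid, children, child, depth + 1))
    return rows


def ixp_layers(by_pid: Dict[int, Event], pid: int) -> int:
    """Count processes on the ancestry chain (pid included) that run from an IXP directory.
    The walk stops at the first parent for which no record exists."""
    layers = 0
    while pid in by_pid:
        if IXP_EXE.search(str(by_pid[pid]["Image"])):
            layers += 1
        pid = int(by_pid[pid]["ParentProcessId"])
    return layers


def nested_sfx_pids(events: List[Event], min_layers: int = 2) -> List[int]:
    """PIDs whose ancestry passes through at least min_layers IXP extraction directories.
    One layer is an ordinary IExpress installer; two or more is the nested-dropper
    pattern in this report."""
    by_pid, _ = build_tree(events)
    return sorted(pid for pid in by_pid if ixp_layers(by_pid, pid) >= min_layers)


# Constructed records mirroring the report's process tree. PID 3000 (the root's
# parent) is assumed; the report does not show it and no record exists for it.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": 4212, "ParentProcessId": 3000,
     "Image": TEMP + r"\b858057f8b6bdda8598fa1c04fd537d73f402bd06a7bb3559b2c49c8198a0446.exe"},
    {"ProcessId": 4156, "ParentProcessId": 4212, "Image": TEMP + r"\IXP000.TMP\ycaR53IP12.exe"},
    {"ProcessId": 996, "ParentProcessId": 4156, "Image": TEMP + r"\IXP001.TMP\urri86xi96.exe"},
    {"ProcessId": 4316, "ParentProcessId": 4156, "Image": TEMP + r"\IXP001.TMP\wrib65HE10.exe"},
    {"ProcessId": 4032, "ParentProcessId": 4212, "Image": TEMP + r"\IXP000.TMP\xuRy39zg96.exe"},
]


if __name__ == "__main__":
    by_pid, children = build_tree(SAMPLE_EVENTS)
    for depth, pid, image in render(by_pid, children, 4212):
        print("    " * (depth - 1) + f"[{depth}] PID {pid}: {image}")
    print("nested self-extractor payloads:", nested_sfx_pids(SAMPLE_EVENTS))
```

With the sample records the listing matches the report's tree and `nested_sfx_pids` returns PIDs 996 and 4316, the two processes launched from IXP001.TMP inside IXP000.TMP; xuRy39zg96.exe (PID 4032) sits only one layer deep and is reported only when `min_layers` is lowered to 1. Real telemetry reuses PIDs over time, so a production version should key on the process GUID Sysmon provides rather than the bare PID.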
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 175KB
MD5: 75ced8ad0d8cd237ebc9cb7b00852651
SHA1: adab63df3e0a40fd9f170ab57da66f01f226141c
SHA256: a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819
SHA512: f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

Filesize: 513KB
MD5: 55feb4a464a21228169d5e08da534eec
SHA1: 32394b22d361d39ecd13d6288045d31ae368c9cf
SHA256: 79835e1183963c5f05b813b3678ac46e5d3ac21f4855024bdd6ac96638bdd040
SHA512: dd959c47284b5468f1113ec888a4fcb539ee5ca0a2420f6528d4785c39a0ed26f7061b7d44e55c53564c59c254c55469c783b73936e886d9f737a0ecc57cf2dd

Filesize: 231KB
MD5: 22b881080c5443070fcb5bf47fd14536
SHA1: 9a81a5c111385c1d3bde3e017a553c55b9e8f376
SHA256: 77d200f4afd1696760e4a0fd4f7ff8fbe2023789bbfb424b45a9805e50e3ea25
SHA512: 7dfa621e59c40f5535f8cbd4ad453873b73b6e070baa0148abfc7063e9b2bc56a2773abc3a58642f50d8bdcb35c6ead0e0505fd49fe7733e05763396d88bc0c3

Filesize: 289KB
MD5: f719d70ebe5b666b482c91b61516218e
SHA1: 61da23978f14b2ef38e7d14113172346145fe6ba
SHA256: 439904dbd91520dd5e82eb107d025d3f0e7a74e30f1e1743976c046d5b28e568
SHA512: be894aa89bf97710e2eeb77425880a452abffebdc742c3426222aa433d558636398b36df659d6cea3eae614a1a5fc624da514f17074bcf8034039ddb1a12ee72